Multi-agent reinforcement learning-based passenger spoofing attack on Mobility-as-a-Service

Cyber-physical systems, such as smart transportation, face security threats from both digital and physical realms. Recently, Mobility-as-a-Service (MaaS) has emerged as a novel transportation concept, offering passengers access to diverse mobility services via a unified platform. Central to this system is the smart MaaS coordinator, tasked with tailoring services to passengers based on their profiles and behaviors. However, the coordination of heterogeneous passengers introduces vulnerabilities, enabling malicious entities to exploit the system by impersonating priority passengers with falsified information. Effective detection mechanisms require a deep understanding of the spoofing process. This paper investigates threats to the smart MaaS coordinator, unveiling a new reinforcement learning-based attack named the passenger spoofing attack, which aims to mitigate the risk of inadvertently exposing MaaS vulnerabilities post-deployment. This attack leverages feedback from actions and experiences to manipulate system profitability and passenger satisfaction by generating false passenger information. Furthermore, our research reveals that multi-agent reinforcement learning, accounting for spatial distribution among malicious agents and passengers, strengthens the attack. Through simulations based on datasets from New York City and synthetic sources, we demonstrate that the attack can significantly reduce 70% of profit and 50% of passenger satisfaction. Spatial analysis indicates an effective distance of approximately two nodes from the origin or destination. This study enriches our comprehension of the vulnerabilities inherent in smart coordinators within MaaS, enabling the development of robust countermeasures against malicious actors.